Cybersecurity Information

Covered Defense Information, Including Controlled Unclassified Information

On October 21, 2016, the Department of Defense (DoD) published the final rule for Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This rule is part of DoD’s ongoing effort to prevent improper access to important unclassified information. As a result, contractors must provide security for “covered contractor information systems,” including implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171. A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information (CDI).

APL’s Annual Representations and Certifications includes questions about your company’s ability to handle CDI, such as Controlled Unclassified Information (CUI), in compliance with the cyber DFARS clause 252.204-7012. We recommend that you check with your IT security professionals and legal counsel during the certification process.

It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it. In particular, DFARS 252.204-7019 requires that contractors perform self-assessments that are submitted to the Supplier Performance Risk System (SPRS) before working with CUI. DFARS 252.204-7020 also requires that suppliers be verified.

The applicable flow-down clauses are included in APL’s terms and conditions for its partner suppliers. The DFARS clauses are required to be flowed down in any subcontracts or similar contractual agreements in which subcontract performance will involve CDI, including CUI. These clauses must be flowed down without modification. We appreciate your partnership in minimizing risk and safeguarding our sensitive information.

Cybersecurity Maturity Model Certification

In 2025, the Department of Defense (DoD) plans to finalize its Cybersecurity Maturity Model Certification (CMMC) program. Industry experts estimate that it can take 12–18 months to prepare for CMMC certification. CMMC compliance will be a requirement at the time of contract award. The full details of the requirements, including the phased implementation plan stating when the requirements apply, will be defined in the final CMMC rule. APL recommends that our partners become familiar with CMMC requirements and plan to meet them well in advance.

CMMC is a DoD program that confirms that organizations have implemented existing security requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). When the CMMC rule is final and in effect, all DoD contractors and subcontractors, except companies that solely provide commercial off-the-shelf (COTS) items, must achieve compliance with CMMC requirements to be eligible for contract award. Suppliers will be responsible for ensuring that their organization can meet all of the cybersecurity requirements. When CUI is required as part of the contract, a CMMC certification assessment will require suppliers to engage an official CMMC Third-Party Assessment Organization (C3PAO), which will conduct a formal assessment and report the results to DoD. At CMMC Level 3, a DoD assessment is also required.

CMMC Levels

As stated above, it is estimated that it may take 12–18 months to prepare for CMMC certification. We recommend that all suppliers prepare now to ensure readiness to meet CMMC requirements in advance of new contract awards based on the timeline that will be announced in the rule, anticipated to start in 2025.

[Figure: CMMC implementation timeline. Source: Department of Defense Chief Information Officer]

Learn more about the complete details regarding CMMC and the existing regulations using the following resources.